Problems getting the Log Receiver / ILA to function properly

InControl Frequently Asked Questions
Peter
Posts: 657
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Post by Peter » 11 Feb 2013, 14:55

This FAQ applies to:
  • Clavister InControl version 1.30 and up
Question:

My ILA/Log Receiver is not receiving any logs from my Security Gateways and I cannot do any log data queries. How can I troubleshoot this?

Answer:

There are several steps to follow in order to get the Log Receiver to be able to receive logs from an SGW, so there may be multiple problems occurring at the same time that are hindering the logs from being properly received by the Log Receiver.

Below is a checklist you can use to try to locate the problem:
    1. Make sure that the required .NET version is installed on the Log Receiver Machine.

    2. Make sure that the required Microsoft Visual C++ 2008 SP1 redistributable is installed.

    3. Make sure that the Log Receiver service / ILA is running on the Log Receiver Machine.

    4. Make sure that the Log Receiver service / ILA has sufficient write access rights in the target log storage area.

    5. Make sure that the required ports are open on the Log Receiver Machine's firewall.
    5.1. The ports that need to be opened are:
    5.1.1. 999 UDP – This is used by the SGWs to send logs to the Log Receiver.
    5.1.2. 5555 TCP/UDP – These are used by the InControl Server to communicate with the Log Receiver / ILA: making configuration changes, doing log data cube inquiries etc.

    6. Make sure that there is nothing between the SGW and the Log Receiver Machine that blocks the incoming UDP log packets from the SGW. These traverse UDP port 999 as specified in 5.1.1.
    6.1. Sending logs directly over the internet is not advisable, as:
    6.1.1. UDP does not have any verification that the packet actually arrives, so there is no verification that the log database contains all the logs. If you do want to send them over the internet because the SGW and Log Receiver are located at different geographical locations, it is recommended to encapsulate the logs in e.g. an IPsec tunnel.

    7. Make sure that the SGW is configured correctly and that log connections are being created towards the Log Receiver Machine. You can check this on the SGW using the command "connections -show -destip=<LogReceiverIP> -protocol=udp".

    8. If the SGW sending the logs is being NAT'ed by something, the ILA will reject the packets as they are arriving from a source IP address not specified in the log data (Internal note: ICC-5130). If you want to use NAT to send the firewall logs to InControl you have to use Reverse Netcon / Device Initiated Netcon in order for it to work.

    9. Additional information about what the Log Receiver / ILA is doing can be obtained by:
    9.1. Stopping the Log Receiver / ILA service first.
    9.2. Starting the Log Receiver or ILA from the command line using the following syntax example: "ILA.exe /debug".
    9.2.1. In case you need help from Clavister support, piping the output to a file and then sending it to Clavister support is recommended: "ILA.exe /debug >log.txt".

In any of the instances where you suspect that a port is blocked, you can always use PCAP/Wireshark to perform some packet captures on e.g. the Log Receiver Machine to see if packets are arriving from the expected source IP(s).
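The local checks in steps 2 to 5 of the checklist can be run as a script on the Log Receiver Machine. The PowerShell script below is an added example, not code from the original post or a Clavister tool; the Windows service name and the log storage folder it uses are placeholders that must be replaced with the values from your installation.

```powershell
# Added example (not from the original post): read-only checks for steps 2-5 on the Log Receiver machine.
# Placeholders, not values from the post: the Windows service name and the log storage folder.
param(
    [string]$ServiceName  = 'ILA',                         # placeholder: see services.msc for the real name
    [string]$LogStorePath = 'C:\ProgramData\Clavister\ILA' # placeholder: the configured log storage area
)

function Write-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $tag = if ($Ok) { 'OK  ' } else { 'FAIL' }
    Write-Output ('[{0}] {1}: {2}' -f $tag, $Name, $Detail)
}

# Step 2: is the Microsoft Visual C++ 2008 redistributable registered in Add/Remove Programs?
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$vc2008 = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
          Where-Object { $_.DisplayName -like 'Microsoft Visual C++ 2008*' } | Select-Object -First 1
Write-Check 'VC++ 2008 redistributable' ($null -ne $vc2008) $(if ($vc2008) { $vc2008.DisplayName } else { 'not found' })

# Step 3: is the Log Receiver / ILA service installed and running?
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
Write-Check 'Log Receiver service running' ($null -ne $svc -and $svc.Status -eq 'Running') $(if ($svc) { "$($svc.Status)" } else { 'service not found' })

# Step 4: print the account the service runs as next to the ACL entries that grant write rights on the log
# store, so the two can be compared. Group membership (e.g. Administrators) is not expanded here.
$acct = (Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue).StartName
$acl  = Get-Acl -Path $LogStorePath -ErrorAction SilentlyContinue
$writers = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' -and $_.FileSystemRights -match 'Write|Modify|FullControl' } |
             ForEach-Object { $_.IdentityReference.Value })
Write-Check 'Log store ACL' ($null -ne $acl) ("service account '$acct'; write granted to: " + ($writers -join ', '))

# Step 5: enabled inbound allow rules for 999/UDP and 5555/TCP+UDP, and whether a process is bound to each port.
$portFilters = Get-NetFirewallPortFilter -ErrorAction SilentlyContinue
foreach ($n in @(@{Port=999; Proto='UDP'}, @{Port=5555; Proto='TCP'}, @{Port=5555; Proto='UDP'})) {
    $rules = $portFilters |
        Where-Object { ($_.Protocol -eq $n.Proto -or $_.Protocol -eq 'Any') -and
                       (@($_.LocalPort) -contains "$($n.Port)" -or @($_.LocalPort) -contains 'Any') } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    Write-Check "Firewall allows $($n.Port)/$($n.Proto) inbound" ($null -ne $rules) (@($rules.DisplayName) -join ', ')
    $bound = if ($n.Proto -eq 'UDP') { Get-NetUDPEndpoint -LocalPort $n.Port -ErrorAction SilentlyContinue }
             else { Get-NetTCPConnection -LocalPort $n.Port -State Listen -ErrorAction SilentlyContinue }
    Write-Check "Listener bound to $($n.Port)/$($n.Proto)" ($null -ne $bound) $(if ($bound) { 'yes' } else { 'nothing listening' })
}
```

A FAIL on the firewall or listener lines points at step 5 (local firewall or service not bound), while packets that still do not arrive with everything reporting OK point at steps 6 to 8 on the path or the SGW side, which is where the packet capture mentioned above comes in.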
